Explore and manage Kubernetes runtime incidents

Runtime incidents provide visibility into suspicious or malicious activity occurring in running Kubernetes workloads. Runtime detection uses eBPF -based (extended Berkeley Packet Filter) telemetry together with Kubernetes and cloud context to monitor behavior in real time. To learn more about how runtime works, review Deploy and manage cluster sensors.

⚠️

Use the Command Platform to access Container Runtime Security

Access Container Runtime Security from the Command Platform to authenticate and take action on findings. If you open Cloud Security outside the Command Platform, you can view detections, but some features are unavailable.

To view runtime incidents:

Log in to the Command Platform .
Go to Controls & Compliance > Runtime.
Click Manage Rules and Policies. The Container Runtime Security feature opens to the Threat Detection page.
Click Runtime Incidents.

At the top of the page, you can see:

The clusters and accounts currently monitored
Available filters to narrow results
Search capabilities for specific entities

Search runtime incidents

You can filter runtime incidents using standard parameters such as:

Account
Region
Cluster
Namespace
Workload
Severity
Threat type
Status

You can also perform free-text searches based on specific entities using the format entity:value. Examples:

Process
- Find incidents where the bash process was executed: process:bash
File
- Find incidents involving the wget binary: file:wget
- Find incidents where /etc/passwd was accessed: file:/etc/passwd
DNS
- Find incidents where a DNS query was made to evil.com: DNS:evil.com
- Find incidents contacting api.example.com: DNS:api.example.com
Network
- Find incidents with connections to or from an IP address: network:192.168.1.10
- Find incidents involving traffic on port 443: network:443
HTTP
- Find incidents with HTTP GET requests to /login: HTTP:GET /login
- Find incidents with HTTP POST requests to /api/v1/data: HTTP:POST /api/v1/data
Cloud API
- Find incidents where EC2 instances were started: CloudAPI:ec2:StartInstances
- Find incidents involving S3 bucket listing activity: CloudAPI:s3:ListBuckets

Group runtime incidents by context

You can group runtime incidents to improve investigation flow. Incidents can be grouped by Threat, Account, Host, and more.

You can switch between grouped and ungrouped views at any time. Grouping helps you:

Recognize attack patterns
Isolate affected workloads
Perform batch status updates
Reduce triage time

Update incident status

Each runtime incident includes a status to indicate its investigation state. You can update status from the incident details view or the incidents table. Keeping statuses updated helps:

Prioritize high-impact issues
Track investigation progress
Improve reporting and auditing

Available statuses:

Status	Meaning
Open	Newly detected incident requiring review
Investigating	Analysis and response are in progress
Dismissed	Determined to be benign or not relevant
Resolved	Confirmed issue was remediated and closed

New incidents start in the Open state. Resolved and dismissed incidents are hidden from the default view to reduce noise.

To update incident status:

Select one or more incidents.
Click Change Status.
Select a lifecycle state.

Status updates apply immediately.

Investigate a runtime incident

Selecting an incident opens the investigation view. From the investigation view, you can:

Accept the risk or change investigation status
Identify the affected workload and cluster and browse related events (Graph)
- Note: Each event in the timeline is selectable
Review attack timeline details and affected assets and implement a network policy and Seccomp profile (Story)
Review other impacted assets if the threat is exploited (Blast radius)
Implement remediations for the workload and affected resources (Response)